Is this just my US-centric view of the world saying this or is it really a questionable move if one values their personal safety?
Anyway this is very much the topic of more than one novel I'm sure and given he has survived to blog the tale I guess I can be less concerned about his welfare.
For the former, read his book Spam Nation. It is a wonderful book from the beginning of his adventures into infosec journalism. I finished it in three days.
krebsonsecurity.com/tag/spam-nation/
Mexico is a very dangerous place for journalists and becoming more dangerous every year, but even when we hear about Mexican journalists getting murdered, it's usually for pointing fingers much higher up than "ATM hackers" (the most famous recent case has to do with an investigation into a Governor's activities). One has to assume the threshold for causing an international incident is even higher. The people being busted here are "just" scammers, even if embedded within a larger criminal network.
p.s. My only qualification for answering this is having lived in Mexico. I claim no knowledge of criminal structures there other than what is known from general news and culture. I would not bet my own life on this analysis.
He is depriving a criminal gang of a source of income. That feels risky!
The only way I would have written a factual - as in, not blatantly made up - blog post like we just read (absent basically any mention whatsoever of personal danger) is if the whole thing really took place in Southeast China, oh, and in 1996, oh and it wasn't ATM machines it was vending machines - and it wasn't bluetooth it was FM radio. With literally every detail changed. Throw in a picture of a hotel in Mexico and you're good to go.
The alternative, that he is just making all of this up, seems just so much more plausible.
I've now also watched the video. I don't know - would bluetooth signals from deep inside a machine - as you can see, in the video, the bluetooth transmitter is occluded by an entire printed circuit board - go all the way across the lobby to reach him? (as in the video)
Secondly, since it is SO innocuous to take out a cell phone in front of an ATM (I would have zero qualms doing this) to check, wouldn't this post have generated literally hundreds of comments from people checking an ATM and finding said signal? Nobody would mind doing that.
(By the way, I don't have an issue with the "laziness" of the solution he purportedly uncovered, i.e. transmitting a bluetooth device signal with the default name, as it is not obvious how to make a transmitter turn on only in response to a signal from a commodity cell phone that has nothing incriminating on it. So technologically it seems to be okay for me.)
But the whole story doesn't really add up. Someone else here mentions that supposedly he regularly reads some spammer forum where they coordinated sending him cocaine in the mail and then SWATting his house. This just seems so incredibly unlikely to me - i.e. a fabrication. How many forums can one person read?
It just seems to be made up. (Unless he changed huge amounts of details to other, similar details). But that seems unlikely.
So yeah, you are pretty much risking a grusome ending.
US is paying a price for building up China overseas instead of next door neighbors instead.
If it were me, I would have either:
1. Require a secret pin to be entered in order to activate the bluetooth. 2. Don't use bluetooth. For example the nRF51822 chip (e.g. in this module [1] allows you to implement your own radio protocols. You could make it impossible to detect - it could only respond when send a secret code of some sort.
[1] http://www.seeedstudio.com/depot/Seeed-Micro-BLE-Module-w-Co...
In a sense, hackers are really good MVP creators. Make something that works and optimize on cash flow.
And once more I consider scraping the mag-stripe off my debit card.
I would think chip and pin should mitigate this kind of card skimming though...
